This guide will walk you through setting up Single Sign-On (SSO) with Google Workspace for Genow. This integration allows your users to sign in using their Google Workspace credentials.Prerequisites
- A Google Workspace account
- A Google Cloud Project
- Administrator access to your Genow instance
Step 1: Project Setup
- If Genow runs in a different tenant than your Google Workspace:
- If Genow runs in the same tenant as your Google Workspace:
- Use the existing Genow platform project
- In Google Cloud Console, navigate to APIs & Services > Credentials
- Click Create Credentials > OAuth client ID
- Configure the OAuth consent screen:
- User Type: Internal
- App name: “Genow SSO”
- User support email: Your admin email
- Developer contact information: Your contact email
- Create OAuth 2.0 Client ID:
-
Application type: Web application
-
Name: “Genow SSO”
-
Authorized JavaScript origins: Add your Genow platform’s identity platform origins
-
Authorized redirect URIs: Add your Genow platform’s identity platform redirect URIs
Note: The exact origins and redirect URIs will be provided by your Genow platform administrator
- Click Create
- Save the generated:
-
Log in to your Genow instance as an administrator
-
Add the following information to the Genow Platform’s Secret Manager:
FIREBASE_CLIENT_ID: Your Google Client IDFIREBASE_CLIENT_SECRET: Your Google Client Secret
-
After adding the secrets, run the following commands to update the infrastructure:
# Update Terraform Configuration
terraform apply
# Run CI/CD pipeline to apply changes for your genow application
-
Wait for the infrastructure updates to complete
Step 4: Test the Integration
- Sign out of Genow
- Click the “Sign in with Google” button
- You should be redirected to Google’s login page
- After successful authentication, you should be redirected back to Genow
Important Notes
- The authentication is handled through Google’s OAuth 2.0 protocol
- We recommend providing access to your Google Cloud project to our support team for better assistance
- Additional documentation for application roles and user permissions will be provided separately
Troubleshooting
If you encounter any issues:
- Verify all configuration values are correct
- Ensure the authorized origins and redirect URIs match exactly
- Check that users exist in both systems
- Review the Genow logs for any error messages
- Verify that the OAuth consent screen is properly configured
- Confirm that the project has the necessary APIs enabled
Security Considerations
- Regularly rotate the client secret
- Monitor sign-in logs for suspicious activity
- Keep your Google Cloud project secure
- Review and audit user access regularly
- Consider implementing additional security measures like 2FA
This guide will walk you through setting up Single Sign-On (SSO) with Microsoft Entra ID (formerly Azure AD) for Genow. This integration allows your users to sign in using their Microsoft Entra ID credentials.Prerequisites
- A Microsoft Entra ID tenant
- Administrator access to your Genow instance
- Sign in to the Azure Portal
- Navigate to Microsoft Entra ID > App registrations
- Click New registration
- Fill in the following details:
- A name for the application, e.g.: “Genow - PRD”
- Supported account types: “Accounts in this organizational directory only”
- Redirect URI - Single-page application (SPA):
https://your-genow-instance.cloud
- Click Register
- In your new app registration, go to Authentication
- Under “Platform configurations”:
- Remove any existing “Web” platform configuration
- Add “Single-page application” as platform configuration
- Enter your application URLs:
- Application URL:
https://your-genow-instance.cloud/login
- Redirect URIs:
-
https://your-genow-instance.cloud/login
-
https://your-genow-instance.cloud
Note: The URLs may differ based on your setup. Please ensure you add the correct URLs for your instance.
- Under “Implicit grant and hybrid flows”, ensure that both are disabled:
- Access tokens (used for implicit flows)
- ID tokens (used for implicit and hybrid flows)
- Go to API permissions
- Add the following Microsoft Graph permissions:
User.Reademailprofileopenid
- Click Grant admin consent
- In your app registration, go to Expose an API
- Add a new scope:
-
Scope name:
genow
-
Base URI:
api://your-application-id
Note: Replace your-application-id with your actual application ID
- In your app registration, note down:
- Application (client) ID
- Directory (tenant) ID
- Provide these information into your Genow platform to Certificates & secrets
-
Log in to your Genow instance as an administrator
-
Add the following information to the Genow Platform’s Secret Manager:
AZURE_CLIENT_ID: Your application (client) IDAZURE_CLIENT_SECRET: Your client secretAZURE_TENANT_ID: Your directory (tenant) ID
-
After adding the secrets, run the following commands to update the infrastructure:
# Update Terraform configuration
terraform apply
# Run CI/CD pipeline to apply changes for your Genow application
-
Wait for the infrastructure updates to complete
Step 6: Test the Integration
- Sign out of Genow
- Click the “Sign in with Microsoft” button
- You should be redirected to Microsoft’s login page
- After successful authentication, you should be redirected back to Genow
Important Notes
- The authentication is handled through the Microsoft Authentication Library (MSAL)
- We recommend providing access to your Entra ID application to our support team for better assistance
- Additional documentation for application roles and user permissions will be provided separately
Troubleshooting
If you encounter any issues:
- Verify all configuration values are correct
- Ensure the redirect URIs match exactly
- Check that users exist in both systems
- Review the Genow logs for any error messages
- Verify that implicit grant and hybrid flows are disabled
- Confirm that the API scope is correctly configured
Security Considerations
- Regularly rotate the client secret
- Monitor sign-in logs for suspicious activity
- Keep your Microsoft Entra ID tenant secure
- Review and audit user access regularly
Finally, there is the option for users to log in with their email address and password. Either we or you can set up the users via Firebase. In this case, specific permissions are assigned via the Genow platform.
